According to recent research, Google's Authenticator app for Android is susceptible to a major piece of malware known as Cerberus. According to the cybersecurity specialist ThreatFabric, the malware is a banking Trojan that can access the one-time passcodes generated by the app, enabling hackers to gain access to users' banking details.
The Google Authenticator app offers two-step authentication for online accounts. It is regarded as a better and more secure alternative to receiving passcodes via SMS over the cellular network.
Once successfully installed, Cerberus can log keystrokes and access all the SMS text messages on your smartphone. It can also trick you into giving up your password for a mobile banking app by displaying a fake login window on the phone.
As per ThreatFabric: “When the app is running, the Trojan can get the content of the interface and can send it to the C2 (command-and-control) server. Once again we can deduce that this functionality will be used to bypass authentication services that rely on (one-time) codes.”
The bright side is that the vulnerability has limitations: the user of the infected phone has to grant the malware access to the Google Authenticator app's interface. The Trojan poses as ‘Flash Player’ and asks the user to grant it Android Accessibility Services privileges, a feature designed specifically for users with a disability.
The General Manager of ThreatFabric, Gaetan Van Diemen, said: “As long as the victim hasn’t granted it, the Trojan will ask for it.” He further added: “Once granted, the bot will be able to read/visualize all information on the infected device’s screen but also click and interact with the content.”
The creators of Cerberus are renting out access to the Trojan on a Russian hacking forum. For three months of access, the rental price is about $4,000. According to the creators, the spread of this Trojan depends entirely on users, and to avoid it one must stick to the official Play Store for downloading apps, as it filters out malicious products. It is believed that malicious links can be circulated from the infected phone via SMS and email.
Van Diemen expressed his utmost concern, saying Google has yet to comment on the report submitted by ThreatFabric. The company's 2FA Authenticator app is not the only one affected: through the Accessibility service, the malware can extract information from any app on the smartphone.
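Because the Trojan depends on being granted Accessibility Services privileges, a device check can list which apps currently hold that access and where they were installed from. The script below is an added example, not part of the ThreatFabric report; it parses text captured from the two `adb` commands named in its comments, and the sample package names and allowlist are constructed for illustration.

```python
# Added example: audit which apps hold Android Accessibility Service access.
# Inputs are text captured beforehand from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
PLAY_STORE = "com.android.vending"

def parse_enabled_services(setting_value):
    """Return (package, service_class) pairs from the colon-separated setting."""
    value = setting_value.strip()
    if not value or value == "null":      # nothing enabled
        return []
    pairs = []
    for component in value.split(":"):
        package, _, cls = component.partition("/")
        if cls.startswith("."):           # short form: pkg/.Service
            cls = package + cls
        pairs.append((package, cls))
    return pairs

def parse_installers(pm_output):
    """Map package name -> installer package (None if not recorded)."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, _, rest = line[len("package:"):].partition(" ")
        installer = rest.strip().split("installer=", 1)[-1]
        installers[name] = None if installer in ("", "null") else installer
    return installers

def audit(setting_value, pm_output, allowlist):
    """Report every non-allowlisted service as (pkg, class, source, sideloaded)."""
    installers = parse_installers(pm_output)
    findings = []
    for package, cls in parse_enabled_services(setting_value):
        if package in allowlist:
            continue
        source = installers.get(package)
        findings.append((package, cls, source or "unknown", source != PLAY_STORE))
    return findings

# Constructed sample data; com.example.flashplayer is a made-up package name.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/"
                  "com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.flashplayer/.UpdateService")
SAMPLE_PM = ("package:com.google.android.marvin.talkback  installer=com.android.vending\n"
             "package:com.example.flashplayer  installer=null\n")
ALLOWLIST = {"com.google.android.marvin.talkback"}   # assumption: approved services

if __name__ == "__main__":
    for pkg, cls, source, sideloaded in audit(SAMPLE_SETTING, SAMPLE_PM, ALLOWLIST):
        print(f"REVIEW {pkg} ({cls}) installer={source} sideloaded={sideloaded}")
```

An entry flagged as sideloaded that the device owner does not recognise is the case to investigate first, since any app holding this privilege can read the screen contents of other apps.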